Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
payment1.img

Overview

General Information

Sample name:payment1.img
renamed because original name is a hash value
Original sample name:payment1.iso
Analysis ID:1571349
MD5:e3d7f822bff38686c5be70db0781d9e4
SHA1:b876477932df36d70d3203b6558fbe7f827be408
SHA256:4098574e7616f1406e79aa812583a7e58c8b1a06b587d2ae722102ea2d47718d
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7236 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7292 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • payment1.scr (PID: 7536 cmdline: "E:\payment1.scr" /S MD5: 50A5CC444A549A39942BDF39A0005E4B)
    • powershell.exe (PID: 7684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7892 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • payment1.scr (PID: 7700 cmdline: "E:\payment1.scr" MD5: 50A5CC444A549A39942BDF39A0005E4B)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: payment1.scr PID: 7536JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    Process Memory Space: payment1.scr PID: 7700JoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "E:\payment1.scr" /S, ParentImage: \Device\CdRom1\payment1.scr, ParentProcessId: 7536, ParentProcessName: payment1.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", ProcessId: 7684, ProcessName: powershell.exe
      Sigma detected: Suspicious PowerShell Parameter Substring
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7236, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 7292, ProcessName: powershell.exe
      Sigma detected: Powershell Defender Exclusion
      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "E:\payment1.scr" /S, ParentImage: \Device\CdRom1\payment1.scr, ParentProcessId: 7536, ParentProcessName: payment1.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr", ProcessId: 7684, ProcessName: powershell.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7236, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 7292, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7584, ProcessName: svchost.exe

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for dropped file
      Source: \Device\CdRom1\PAYMENT1.SCRAvira: detection malicious, Label: HEUR/AGEN.1306657
      Multi AV Scanner detection for dropped file
      Source: \Device\CdRom1\PAYMENT1.SCRReversingLabs: Detection: 26%
      Multi AV Scanner detection for submitted file
      Source: payment1.imgReversingLabs: Detection: 23%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.0% probability
      Machine Learning detection for dropped file
      Source: \Device\CdRom1\PAYMENT1.SCRJoe Sandbox ML: detected
      Source: Binary string: bzgPg.pdb source: payment1.scr, 00000006.00000000.1701101441.0000000000582000.00000002.00000001.01000000.00000003.sdmp, payment1.img, PAYMENT1.SCR.2.dr
      Source: Binary string: bzgPg.pdbSHA256^ source: payment1.scr, 00000006.00000000.1701101441.0000000000582000.00000002.00000001.01000000.00000003.sdmp, payment1.img, PAYMENT1.SCR.2.dr
      Source: payment1.scr, 0000000A.00000002.1737403626.00000000030EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $fq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\fq equals www.youtube.com (Youtube)
      Source: payment1.scr, 0000000A.00000002.1737403626.00000000030EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: payment1.scr, 0000000A.00000002.1737403626.00000000030EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\fq equals www.youtube.com (Youtube)
      Source: payment1.scr, 0000000A.00000002.1737403626.00000000030EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldbP equals www.youtube.com (Youtube)
      Source: payment1.scr, 0000000A.00000002.1737403626.00000000030EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: `,fq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: svchost.exe, 00000007.00000002.2940289460.0000019F11411000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F11228000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
      Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F11228000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F11228000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F1125D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.7.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: payment1.scr, 00000006.00000002.1723478249.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000306D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.s
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000306D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F112D2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
      Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
      Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
      Source: edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F112D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
      Source: svchost.exe, 00000007.00000003.1705992562.0000019F112D2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
      Source: edb.log.7.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
      Source: payment1.scr, 0000000A.00000002.1737403626.0000000003227000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_e2a55aac-b

      System Summary

      barindex
      .NET source code contains very large strings
      Source: PAYMENT1.SCR.2.dr, Form1.csLong String: Length: 166868
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: \Device\CdRom1\PAYMENT1.SCRJump to dropped file
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess token adjusted: Security
      Source: payment1.imgBinary or memory string: OriginalFilenamebzgPg.exe> vs payment1.img
      Source: PAYMENT1.SCR.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal100.troj.evad.winIMG@13/16@0/1
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\tmp.logJump to behavior
      Source: \Device\CdRom1\payment1.scrMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmvsbghg.yob.ps1Jump to behavior
      Source: \Device\CdRom1\payment1.scrFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: payment1.imgReversingLabs: Detection: 23%
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
      Source: unknownProcess created: \Device\CdRom1\payment1.scr "E:\payment1.scr" /S
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: \Device\CdRom1\payment1.scrProcess created: \Device\CdRom1\payment1.scr "E:\payment1.scr"
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)Jump to behavior
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"Jump to behavior
      Source: \Device\CdRom1\payment1.scrProcess created: \Device\CdRom1\payment1.scr "E:\payment1.scr"Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: mscoree.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: apphelp.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: kernel.appcore.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: version.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: uxtheme.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: windows.storage.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: wldp.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: profapi.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: cryptsp.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: rsaenh.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: cryptbase.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: dwrite.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: amsi.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: userenv.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: msasn1.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: gpapi.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: textshaping.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: windowscodecs.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: propsys.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: edputil.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: urlmon.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: iertutil.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: srvcli.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: netutils.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: sspicli.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: wintypes.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: appresolver.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: bcp47langs.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: slc.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: sppc.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: mscoree.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: kernel.appcore.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: version.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: uxtheme.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: cryptsp.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: rsaenh.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: cryptbase.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: windows.storage.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: wldp.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: profapi.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: dwrite.dllJump to behavior
      Source: \Device\CdRom1\payment1.scrSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
      Source: \Device\CdRom1\payment1.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: payment1.imgStatic file information: File size 1329152 > 1048576
      Source: Binary string: bzgPg.pdb source: payment1.scr, 00000006.00000000.1701101441.0000000000582000.00000002.00000001.01000000.00000003.sdmp, payment1.img, PAYMENT1.SCR.2.dr
      Source: Binary string: bzgPg.pdbSHA256^ source: payment1.scr, 00000006.00000000.1701101441.0000000000582000.00000002.00000001.01000000.00000003.sdmp, payment1.img, PAYMENT1.SCR.2.dr

      Data Obfuscation

      barindex
      .NET source code contains potential unpacker
      Source: PAYMENT1.SCR.2.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
      Source: PAYMENT1.SCR.2.drStatic PE information: 0xACA19D74 [Tue Oct 11 16:12:36 2061 UTC]
      Source: PAYMENT1.SCR.2.drStatic PE information: section name: .text entropy: 7.249649067012783

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: \Device\CdRom1\PAYMENT1.SCRJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: \Device\CdRom1\PAYMENT1.SCRJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      barindex
      Loading BitLocker PowerShell Module
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX
      Source: \Device\CdRom1\payment1.scrProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
      Yara detected AntiVM3
      Source: Yara matchFile source: Process Memory Space: payment1.scr PID: 7536, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE@\FQ
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE`,FQ
      Source: \Device\CdRom1\payment1.scrMemory allocated: 28D0000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 2AC0000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 2920000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 8C70000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 9C70000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 9E70000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: AE70000 memory reserve | memory write watchJump to behavior
      Source: \Device\CdRom1\payment1.scrMemory allocated: 14D0000 memory reserve | memory write watch
      Source: \Device\CdRom1\payment1.scrMemory allocated: 3030000 memory reserve | memory write watch
      Source: \Device\CdRom1\payment1.scrMemory allocated: 5030000 memory reserve | memory write watch
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: \Device\CdRom1\payment1.scrThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: \Device\CdRom1\payment1.scrThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7340Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2318Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7730Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1855Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep count: 7340 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep count: 2318 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep time: -7378697629483816s >= -30000sJump to behavior
      Source: \Device\CdRom1\payment1.scr TID: 7556Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 7608Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -4611686018427385s >= -30000sJump to behavior
      Source: \Device\CdRom1\payment1.scr TID: 7800Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: \Device\CdRom1\payment1.scrThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: \Device\CdRom1\payment1.scrThread delayed: delay time: 922337203685477
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
      Source: svchost.exe, 00000007.00000002.2939363763.0000019F0BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2940384648.0000019F1145A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe`,fq
      Source: payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe@\fq
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: \Device\CdRom1\payment1.scrProcess token adjusted: Debug
      Source: \Device\CdRom1\payment1.scrMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Adds a directory exclusion to Windows Defender
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"Jump to behavior
      Injects a PE file into a foreign processes
      Source: \Device\CdRom1\payment1.scrMemory written: \Device\CdRom1\payment1.scr base: 400000 value starts with: 4D5AJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)Jump to behavior
      Source: \Device\CdRom1\payment1.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"Jump to behavior
      Source: \Device\CdRom1\payment1.scrProcess created: \Device\CdRom1\payment1.scr "E:\payment1.scr"Jump to behavior
      Source: payment1.scr, 0000000A.00000002.1737403626.0000000003227000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
      Source: payment1.scr, 0000000A.00000002.1737403626.0000000003227000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: \Device\CdRom1\payment1.scr VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: \Device\CdRom1\payment1.scr VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: \Device\CdRom1\payment1.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Yara detected RedLine Stealer
      Source: Yara matchFile source: Process Memory Space: payment1.scr PID: 7700, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Yara detected RedLine Stealer
      Source: Yara matchFile source: Process Memory Space: payment1.scr PID: 7700, type: MEMORYSTR

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
      PowerShell      		1
      DLL Side-Loading      		112
      Process Injection      		111
      Masquerading      		11
      Input Capture      		211
      Security Software Discovery      		Remote Services11
      Input Capture      		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
      DLL Side-Loading      		11
      Disable or Modify Tools      		LSASS Memory2
      Process Discovery      		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
      Virtualization/Sandbox Evasion      		Security Account Manager41
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook112
      Process Injection      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Obfuscated Files or Information      		LSA Secrets1
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
      Software Packing      		Cached Domain Credentials22
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
      Timestomp      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
      DLL Side-Loading      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1571349 Sample: payment1.img Startdate: 09/12/2024 Architecture: WINDOWS Score: 100 35 Antivirus detection for dropped file 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 7 payment1.scr 4 2->7         started        10 cmd.exe 2 2->10         started        12 svchost.exe 1 1 2->12         started        process3 dnsIp4 43 Adds a directory exclusion to Windows Defender 7->43 45 Injects a PE file into a foreign processes 7->45 15 powershell.exe 23 7->15         started        18 payment1.scr 3 7->18         started        20 powershell.exe 41 10->20         started        23 conhost.exe 10->23         started        33 127.0.0.1 unknown unknown 12->33 signatures5 process6 file7 25 conhost.exe 15->25         started        27 WmiPrvSE.exe 15->27         started        47 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->47 29 conhost.exe 18->29         started        31 \Device\CdRom1\PAYMENT1.SCR, PE32 20->31 dropped 49 Drops PE files with a suspicious file extension 20->49 51 Loading BitLocker PowerShell Module 20->51 53 Powershell drops PE file 20->53 signatures8 process9

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      payment1.img24%ReversingLabs

      Dropped Files

      SourceDetectionScannerLabelLink
      \Device\CdRom1\PAYMENT1.SCR100%AviraHEUR/AGEN.1306657
      \Device\CdRom1\PAYMENT1.SCR100%Joe Sandbox ML
      \Device\CdRom1\PAYMENT1.SCR26%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://api.ip.s0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://www.apache.org/licenses/LICENSE-2.0payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.fontbureau.compayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.fontbureau.com/designersGpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://api.ip.sb/ippayment1.scr, 0000000A.00000002.1737403626.000000000306D000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.fontbureau.com/designers/?payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.founder.com.cn/cn/bThepayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.com/designers?payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://crl.ver)svchost.exe, 00000007.00000002.2940289460.0000019F11411000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://www.tiro.compayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://g.live.com/odclientsettings/ProdV2.C:edb.log.7.drfalse
                          		high
                          https://api.ip.spayment1.scr, 0000000A.00000002.1737403626.000000000306D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designerspayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.goodfont.co.krpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.carterandcone.comlpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sajatypeworks.compayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.typography.netDpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://g.live.com/odclientsettings/Prod.C:edb.log.7.drfalse
                                      		high
                                      http://www.fontbureau.com/designers/cabarga.htmlNpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cn/cThepayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.galapagosdesign.com/staff/dennis.htmpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cnpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fontbureau.com/designers/frere-user.htmlpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://g.live.com/odclientsettings/ProdV2edb.log.7.drfalse
                                                  		high
                                                  https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000007.00000003.1705992562.0000019F112D2000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.drfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://discord.com/api/v9/users/payment1.scr, 0000000A.00000002.1737403626.000000000312E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.galapagosdesign.com/DPleasepayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.com/designers8payment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.fonts.compayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.sandoll.co.krpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.urwpp.deDPleasepayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.zhongyicts.com.cnpayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepayment1.scr, 00000006.00000002.1723478249.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.sakkal.compayment1.scr, 00000006.00000002.1739139009.0000000006B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000007.00000003.1705992562.0000019F112D2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drfalse
                                                                          		high

                                                                          World Map of Contacted IPs

                                                                          • No. of IPs < 25%
                                                                          • 25% < No. of IPs < 50%
                                                                          • 50% < No. of IPs < 75%
                                                                          • 75% < No. of IPs

                                                                          Public IPs

                                                                          IPDomainCountryFlagASNASN NameMalicious

                                                                          Private

                                                                          IP
                                                                          127.0.0.1

                                                                          General Information

                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                          Analysis ID:1571349
                                                                          Start date and time:2024-12-09 10:01:20 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 4m 39s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                          Run name:Potential for more IOCs and behavior
                                                                          Number of analysed new started processes analysed:14
                                                                          Number of new started drivers analysed:3
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:payment1.img
                                                                          renamed because original name is a hash value
                                                                          Original Sample Name:payment1.iso
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.evad.winIMG@13/16@0/1

                                                                          Warnings

                                                                          • Exclude process from analysis (whitelisted): cdfs.sys, MpCmdRun.exe, vhdmp.sys, WMIADAP.exe, SIHClient.exe, conhost.exe, fsdepends.sys
                                                                          • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • VT rate limit hit for: payment1.img

                                                                          Simulations

                                                                          Behavior and APIs

                                                                          TimeTypeDescription
                                                                          04:02:11API Interceptor46x Sleep call for process: powershell.exe modified
                                                                          04:02:15API Interceptor2x Sleep call for process: svchost.exe modified
                                                                          04:02:16API Interceptor1x Sleep call for process: payment1.scr modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

                                                                          No context

                                                                          Domains

                                                                          No context

                                                                          ASNs

                                                                          No context

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):1.3073569589725251
                                                                          Encrypted:false
                                                                          SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrC:KooCEYhgYEL0In
                                                                          MD5:DAD71BAF7390C3883F94CF43B2BD17EC
                                                                          SHA1:E3FAC6FFABB073BD1624E96AE036CA677ACE64AB
                                                                          SHA-256:CE49F6275EA8AB80355812D3DA8C9E9868975DF64E0433183E39F79E4C8680AC
                                                                          SHA-512:6BDF8F8E82437AB2EBF77AD87F77B3413C9D989B492D2A87A32237994E3DF7F64E759FF21A2D895D1308D92F23C500738120BDC87EAE447162009BA882A43B63
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x084169d7, page size 16384, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):0.4221244433906131
                                                                          Encrypted:false
                                                                          SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                                                          MD5:5BC29845FFC2E289C391B6A1275823AE
                                                                          SHA1:F55E6BD8D5D054C30AD469F12286DF635D054285
                                                                          SHA-256:960F1AACA5B35EDD51BB6BD3F83D010FCC5D2913574AAA930B8B1DA068273F01
                                                                          SHA-512:BA6422FAF272098793322684B4B16F791CB93A1A837165D80707A851E40E41C1BA5700A807311E4D3DB2F9F4D7DE0463AA3BC229BCFA45D59836742B59458791
                                                                          Malicious:false
                                                                          Preview:.Ai.... .......A.......X\...;...{......................0.!..........{A......|Y.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................>..%.....|Y.................p.H......|Y..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):16384
                                                                          Entropy (8bit):0.0770300477461845
                                                                          Encrypted:false
                                                                          SSDEEP:3:slXKYedsZGjjn13a/MOAllcVO/lnlZMxZNQl:EKzd8Gj53qMOAOewk
                                                                          MD5:6F273ABACCA2B359A2FB422A3492DB66
                                                                          SHA1:F696A7B5422A5A9B79B21F92F003A0CEF474C1FD
                                                                          SHA-256:CC0CA2FAADE8CB7EAD34B2957268B794F1E57AF2115171BAB2D3CA18976C71CC
                                                                          SHA-512:93416A5F3D6FD8787ED6D6C81B89A063676A8D7ACAAC2EDABC4739B45D37A1F8090522CF5B78B5F55614C1571911E1FC64FC4628A8C9FF635D2C64F527CB8EF4
                                                                          Malicious:false
                                                                          Preview:C........................................;...{.......|Y......{A..............{A......{A..........{A]................p.H......|Y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment1.scr.log

                                                                          Download File
                                                                          Process:\Device\CdRom1\payment1.scr
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1216
                                                                          Entropy (8bit):5.34331486778365
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                          Malicious:false
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):2232
                                                                          Entropy (8bit):5.379820951068425
                                                                          Encrypted:false
                                                                          SSDEEP:48:0WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:0LHxvCsIfA2KRHmOugw1s
                                                                          MD5:0A4E285C045A326EDE882265E051B1E5
                                                                          SHA1:DB981D1FFBFCE3B5220939CF19EE4E1F781A4627
                                                                          SHA-256:CE4D2A025D88CFAFE3804A365AC13264F39DC6826A92FBC549244A1FFCA8A6C6
                                                                          SHA-512:1BE7397A5B143CD1B1905C3DAB24A088AE77FEA7ACEA2DB45D6550D411D82FC57A2990E4ED119966D7EE4C8F09D893D7C31487106C7E5C0580DF0AE71EEF5127
                                                                          Malicious:false
                                                                          Preview:@...e...............................!................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ahowjgq.dl4.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adv1ckjq.ixw.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cssxwehb.bl0.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvrda2z5.hru.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5e23rdh.gcj.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcdnydxo.ibf.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmvsbghg.yob.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpa3uv4u.0pv.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\Desktop\tmp.log

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):300
                                                                          Entropy (8bit):4.388544310577848
                                                                          Encrypted:false
                                                                          SSDEEP:6:wvMYFVEh1IMeQie1ErQNwvucIPHg2a9yofQit06X//F:wvMYFVEh15eQgnWXg2a9yWQE06XV
                                                                          MD5:96CF3236EB42A461DF4A1915B4F10631
                                                                          SHA1:70DEC184CBE12CC6361ADE2714B85A604252B2ED
                                                                          SHA-256:0D9E12C67C29BD7157B4B02AF79E40797D5782C2185C8219EE104DB55D584DC2
                                                                          SHA-512:C3C3711C6320B1ED81979C4354EF19CB7849F48069FB0515A51ED5B32454CC7F9C8F0FF9FF52DFCF7BD5708B01115191E5821F707C042E1C6C2A3855617600AB
                                                                          Malicious:false
                                                                          Preview:....Attached : True..BlockSize : 0..DevicePath : \\.\CDROM1..FileSize : 1329152..ImagePath : C:\Users\user\Desktop\payment1.img..LogicalSectorSize : 2048..Number : 1..Size : 1329152..StorageType : 1..PSComputerName : ........

                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                          Download File
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):55
                                                                          Entropy (8bit):4.306461250274409
                                                                          Encrypted:false
                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                          Malicious:false
                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                          \Device\CdRom1\PAYMENT1.SCR

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1266176
                                                                          Entropy (8bit):7.24494033682766
                                                                          Encrypted:false
                                                                          SSDEEP:24576:sLtktkLeEAMVF+yTlc9v42d5AVW90aGTNDD1:sRSKeEtV42c5zdCwUl
                                                                          MD5:50A5CC444A549A39942BDF39A0005E4B
                                                                          SHA1:F1689F72AAAD71BA3E860685791C38F0AC93D399
                                                                          SHA-256:2A8AFCD73B04E7A6285D428D348753B5D4E91E8E0C62EC44A1E54F678923DC0C
                                                                          SHA-512:035FB44BBED4EA5096C8197E4ED5F63E5EDE18E13184335EC30A87D2967611252E2FD9CA2D8F060CC3A6A4C35A4F2FCCC8A7CF7BBEE8457852A89473A1572062
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 26%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.................0..H...........g... ........@.. ....................................@..................................f..O...................................dN..p............................................ ............... ..H............text....G... ...H.................. ..`.rsrc................J..............@..@.reloc...............P..............@..B.................f......H............R......J........o...........................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&*..0...........s2.....o.....*..0...........sA.....o.....*..0...........s/.....o.....*..0...........s8.....o.....*..0...........s;.....o.....*..0...........s>.....o.....*..0...........s5.....o.....*..0...........sD.....o.....*..0...........sG.....o.....*..0...........s .

                                                                          Static File Info

                                                                          General

                                                                          File type:ISO 9660 CD-ROM filesystem data 'payment1'
                                                                          Entropy (8bit):7.02876736273596
                                                                          TrID:
                                                                          • ImgBurn Image (2052548/1) 49.86%
                                                                          • null bytes (2050048/1) 49.80%
                                                                          • Photoshop Action (5010/6) 0.12%
                                                                          • Lotus 123 Worksheet (generic) (2007/4) 0.05%
                                                                          • HSC music composer song (1267/141) 0.03%
                                                                          File name:payment1.img
                                                                          File size:1'329'152 bytes
                                                                          MD5:e3d7f822bff38686c5be70db0781d9e4
                                                                          SHA1:b876477932df36d70d3203b6558fbe7f827be408
                                                                          SHA256:4098574e7616f1406e79aa812583a7e58c8b1a06b587d2ae722102ea2d47718d
                                                                          SHA512:f395ad9db5006334b77d167c44234a63b0053b1475b6022ffcfbcf90082b3c2c978f2c29297c0b51fae246e9fb4a2d280798e930d51f84ec130391c20ef07efe
                                                                          SSDEEP:24576:ELtktkLeEAMVF+yTlc9v42d5AVW90aGTNDD1:ERSKeEtV42c5zdCwUl
                                                                          TLSH:2655F63D497922EBC0A5C6BDCBE89827F610A86F7150ACA494C647A57357F4B34C323E
                                                                          File Content Preview:...............................................................................................................................................................................................................................................................

                                                                          Network Behavior

                                                                          No network behavior found

                                                                          Statistics

                                                                          CPU Usage

                                                                          Click to jump to process

                                                                          Memory Usage

                                                                          Click to jump to process

                                                                          High Level Behavior Distribution

                                                                          Click to dive into process behavior distribution

                                                                          Behavior

                                                                          Click to jump to process

                                                                          System Behavior

                                                                          General

                                                                          Target ID:0
                                                                          Start time:04:02:10
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
                                                                          Imagebase:0x240000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:1
                                                                          Start time:04:02:10
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:2
                                                                          Start time:04:02:11
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
                                                                          Imagebase:0x700000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:6
                                                                          Start time:04:02:15
                                                                          Start date:09/12/2024
                                                                          Path:\Device\CdRom1\payment1.scr
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"E:\payment1.scr" /S
                                                                          Imagebase:0x580000
                                                                          File size:1'266'176 bytes
                                                                          MD5 hash:50A5CC444A549A39942BDF39A0005E4B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:7
                                                                          Start time:04:02:15
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\System32\svchost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                          Imagebase:0x7ff6eef20000
                                                                          File size:55'320 bytes
                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          General

                                                                          Target ID:8
                                                                          Start time:04:02:17
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "E:\payment1.scr"
                                                                          Imagebase:0x700000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:9
                                                                          Start time:04:02:17
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:10
                                                                          Start time:04:02:17
                                                                          Start date:09/12/2024
                                                                          Path:\Device\CdRom1\payment1.scr
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"E:\payment1.scr"
                                                                          Imagebase:0xc70000
                                                                          File size:1'266'176 bytes
                                                                          MD5 hash:50A5CC444A549A39942BDF39A0005E4B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:11
                                                                          Start time:04:02:17
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:12
                                                                          Start time:04:02:19
                                                                          Start date:09/12/2024
                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                          Imagebase:0x7ff693ab0000
                                                                          File size:496'640 bytes
                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Disassembly

                                                                          No disassembly